TOP 8 ECRET//C OMINT//N OFORN 



NATIONAL SECURITY AGENCY 

FORT GEORGE G. MEADE. MARYLAND 20755-6000 



MEMORANDUM FOR STAFF DIRECTOR, HOUSE PERMANENT SELECT 
COMMITTEE ON INTELLIGENCE 



SUBJECT: (U) Notification and Update - INFORMATION MEMORANDUM 

(U) This is to provide written notification on matters brought to the Committee’s 
attention by way of oral notification to Committee staff directors on June 25, 2009. 



( TS//SI//NF ) O ver the past several months, working with the Department of Justice 
(DoJ) and the Office of the Director of National Intelligence (ODNI), NSA has been 
systematically reviewing its technologies and methods of handling the Business 
Records (BR) and Pen Register/Trap & Trace (PR/TT) data we obtain under Orders 
of the Foreign Intelligence Surveillance Court (FISC). These reviews have 
uncovered several compliance matters that we have disclosed to the Court and this 
Committee. In large part, these compliance issues concern internal information 
systems arid 

Inadequate attenuor^^nes^nTerna^ystem^n^riei^ysiem^rcnitecture 
resulted in a failure to fully comply with the procedures the Court imposed in the 
handling of data under the FISC Order. NSA is identifying, reporting, and 
remediating these matters. 



( TS//S 1 //N F W e have made substantial progress along these lines, and the enclosed 
report on the Business Records FISA end-to-end review details our progress thus 
far. As the report is highly technical in part, we offer to provide a briefing outlining 
our findings. We will provide additional information as it emerges; in particular, we 
will need to supplement the report with an additional section recently required by 
the FISC, as discussed in section 3. Once work on the additional required sectior 
has been completed, a supplement to the report will be prepared and provided to the 
Committee. The joint review process is ongoing, and we will continue to keep the 
Committee informed. 



( TS//SI//NF1 C onsistent with this commitment, NSA has begun a comprehensive 
review of the PR/TT platform that operates pursuant to FISC authority. This 
PR/TT review will mirror closely the rigorous review process of the BR platform. 

(U) As these reviews uncover new issues, we will continue to work to resolve them 
with the FISC. The Court has recently approved several aspects of our work that we 
had earlier reported, and these are detailed below. At the same time, the Court 
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ordered additional new weekly reporting requirements to insure compliance with 
the Court’s orders. We will continue to move through this process in the same 
spirit: rigorous self-examination; transparency with ODNI, DoJ, the FISC, and the 
Committee; and implementation of corrective actions and internal controls to 
monitor compliance. 

1. (TS//SI//NF) PR/TT Metadata and the Development of a Master “Defeat” List 



( TS//SI//NF) I n a notification to the Committee dated June 12, 2009 NSA described 
its development and use of a master “defeat” list in which NSA used PR/TT 
metadata to compile a master list to 



block the ingest of, or purge already ingested unwanted information T rom several 
NSA data repositories. A^jenortecHo the Coi^^^^^ this matter was the subjec t 
of a FISC Order dated In that ^^^^Drder, the FISC authorized 

NSA to continue to use the master “defeat” list for an additional 20 days at which 
time the Agency had to either stop using the list or satisfy the Court as to why 
NSA’s continued use of the list was necessary and appropriate, and why any 
ongoing use of PR/TT metadata in this manner was consistent with the Court’s 
order and was otherwise appropriate. 

having considered the Government’s response, the 

FISC issued a subsequent Order in which the Court found the defeat list reasonable 
and appropriate. Accordingly, the Order authorizes NSA to continue with its 
practices of u s i r^^T^^xis^uyuastet^dofoaFMis^m d adding new selectors to it for 
of to PR/TT and non- 

PR/TT metadata repositories. 




2. (TS//SI//NF ) Sharing PR/TT Metadata Analytic Results with NSA non-PR/TT 
Cleared Analysts. 

< TS//S . I//NF ) The notification of^^^J^^^Jalso described NSA’s practice of 
sharing the unminimized result^^roperl^predicated queries of PR/TT metadata 
with non-PR/TT -cleared NSA analysts. As reportecHc^he Committee^hm matter 
was also a subject of the FISC Order dated In that Order, 

the FISC authorized NSA to continue with this sharing practice for an additional 20 
days at which time the Agency had to either stop the sharing practice or satisfy the 
Court as to why the sharing practice was necessary and appropriate on an ongoing 
basis. 

(U) having considered the Government’s response, the FISC 

issued a subsequent Order in which the Court found that this sharing practice was 
acceptable under the condition that the sharing occur only with analysts who have 
received “appropriate and adequate training and guidance regarding all rules and 
restrictions governing the use, storage, and dissemination of such information.” 
NSA, in coordination with DoJ, is reviewing its training of analysts on the rules and 
restrictions. 
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3. (U) Compliance With FISC Ordered Minimization Procedures 

( TS//SI//NF ) To maximize the utility of the BR and PR/TT metadata, NSA shared 
the results of some authorized NSA analysis of the metadata with analysts in the 
larger intelligence community (IC). This occurred through the dissemination of 
reports and through databases constructed to allow IC counter-terrorism analysts 
to submit requests for information (RFIs) regarding metadata analysis conducted by 
authorized NSA analysts based on RAS-approved selectors. These databases also 
facilitated the sharing of target knowledge. Over time, approximately 200 analysts 
from CIA, FBI, and NCTC were granted access to these databases. While the 
collaborative objective of the databases was achieved, NSA analysts stored 
unminimized metadata analytic results responsive to these RFIs and target 
knowledge information in these databases. The analytic results consisted of 
narrative text describing analytic findings from the results of chaining of selectors 
(but not the content of any communication) in the BR and PR/TT metadata. As the 
IC analysts had access to the databases, this practice was not consistent with the 
FISC Orders that required the application of Court-prescribed minimization 
procedures prior to dissemination of analytic results outside of NSA unless a 
determination had been made by a named official that the U.S. Person information 
was related to counterterrorism information and was necessary to understand the 
counterterrorism information or to assess its importance. 





(U) Upon discovery of the manual connection^^fcnen to these NSA databases (the 
URL link^JS^jlockod this access and reported the matter to 

DoJ. On filed with the FISC a notice of non-compliance 

concerning this matter in accordance with Rule 10 (c) of the FISC Rules of 
Procedure. 
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( TS//SI//NF ) In its^^^^^mOrder, the Court folded this matter into a broader 
analysis of NSA’s compliance with procedures relating to the minimization and 
dissemination of metadata containing U.S. person information. The Court 
expressed “grave” concern over the lack of apparent NSA compliance with the Court 
ordered minimization procedurg^mnUn^joy^the practice of sharing the metadata 

to the procedure for dissemmatin^u!l^person information when necessary to 
understand the counterterrorism information or to assess its importance. As to this 
latter concern, while the PR/TT Order lists, as proposed by the Government, a 
specific NSA official for this purpose and the specific determination to be made, 
some authorizations to disseminate this information were made by other senior 
officials. While these officials were responsible for making these same 
determinations concerning release of U.S. person information relating to 
intelligence collected under Executive Order 12333, the Government did not propose 
and thus the FISC Order did not list these officials for the same purpose in relation 
to the PR/TT metadata and did not permit the PR/TT metadata (or BR metadata) to 
be disseminated upon exactly the same determination permitted under Executive 
Order 12333. 

(TS//SI//NF ) As a residt^h^Court ordered additional action by the Government. 
First, commencing on the Government is required to file a report with 

the Court for the preceding week that lists every instance in which NSA has 
disseminated outside NSA any information, regardless of form, derived from PR/TT 
or BR FISA material. Secondly, NSA is required to include within the end-to-end 
reviews of the BR and PR/TT programs a full explanation of “why the government 
permitted the dissemination outside NSA of U.S. person information without regard 
to whether such dissemination complied with the clear and acknowledged 
requirements for sharing U.S. person information derived from the metadata 
collected pursuant to the Court’s orders.” 



4. (TS//SI//NF ) Use of Correlated Selectors to Query the BR FISA Metadata 



(S//SI//REL TQ USA, FVEY ) The analysis of SIGINT relies on many techniques to 
more fully understand the data. One technique commonly used is correlated 
selectors. A communications address, or selector, is considered correlated with 
other communications addresses when each additional address is shown to identify 
the same communicant as the original address. 
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( 4 r3//f)l//NI i ) NSA analysts authorized to query the BR FISA metadata routinely 

FISA melaciata. in other woTcPil a reasonable^rircu I abTe suspicion (RAS) 
determination was made on any one of the selectors in the correlation, all were 
consj^j^d RAS appro^y^yj^rposes of the query since all were associated wit ) 

thef^^^ 
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While NSA had previously described to the FISC the practice of using 
RAS-approved correlated selectors as seeds, NSA did not request and the FISC did 
not rule upon whether it was appropriate to deem as RAS-approved all selectors n 
a correlation if a reasonable articulable suspicion (RAS) determination was markon 
an^me of the selectors in that correlation. The practice was ended and on pililllH 
!HB1| DoJ filed a notice of non-compliance with the FISC pursuant to Rule 10 (c) of 
the FISC Rules of Procedure. We will be working with ODNI and with the Justice 
Department to seek the Court’s approval to use correlated selectors to query data. 



(U) Because our reviews are continuing, and because of our commitment to full 
disclosure and transparency, there is a significant possibility that we will discover 
additional matters which we will report and resolve. The Committee's continued 
understanding is appreciated, and we welcome your questions. 




FORREST WILLIAMS 
Deputy Associate Director 
Legislative Affairs Office 



Copy Furnished: 

Minority Staff Director, 

House Permanent Select 
Committee on Intelligence 

Enclosure: 

End to End Review of Business Records Foreign 
Intelligence Surveillance Act Report 



TOPSECRKT//COMINT//NOFORN 





